An Efficient and Secured Storage Delegated Access Control to Maintain confidentiality of Data

ABSTRACT
• Current approaches to enforce fine-grained access control on confidential data hosted in the cloud are based on fine-grained encryption of the data. Under such approaches, data owners are in charge of encrypting the data. Data owners thus incur high communication and computation costs.
• A better approach should delegate the enforcement of fine-grained access. We propose an approach, based on two layers of encryption, that addresses this requirement. In our approach, the data owner performs a coarse-grained encryption, whereas the cloud performs a fine-grained encryption on top of the owner-encrypted data.
• A challenging issue is how to decompose access control policies (ACPs) such that the two-layer encryption can be performed.

Outline
• Introduction
• Group Key Management (GKM)
– Attribute Based Systems and GKM Requirements
– Broadcast GKM (BGKM)
– Attribute-Based GKM (AB-GKM)
• Privacy Preserving
– SLE (Single Layer Encryption) Approach
– TLE (Two Layer Encryption) Approach

Before data outsourcing
[Figure labels: Organization, Data; users Bob, Alice, Tim]

In the cloud computing era
[Figure labels: Organization, Cloud, Data; users Bob, Alice, Tim]

In the cloud computing era
[Figure labels: Organization, Cloud, Data; users Bob, Alice, Tim; arrows "Encrypted & upload" and "Download & decrypt"]

How to control access?
Different users have access to different documents. Bob is a doctor and has access to medical reports. Alice is a nurse and has access to clinical records.
[Figure labels: medical reports MR1 to MR5; clinical records CR1 to CR4; keys Key1 and Key2; users Bob and Alice]

What cryptosystem to use?
• Public key cryptosystem (PKC)
– Public key infrastructure (PKI)
– Attribute based encryption (ABE)
• Symmetric key cryptosystem
– Group key management (GKM)

Traditional PKI
[Figure labels: organization and cloud; items PubA(CR1), PubB(MR1), PubT(MR1); Bob (Doctor) with PubB/PriB, Alice (Nurse) with PubA/PriA, Tim (Doctor) with PubT/PriT]

Attribute Based Encryption (ABE)
[Figure labels: organization and cloud; items Nurse(CR1), Doctor(MR1); Bob (Doctor) with PriB, Alice (Nurse) with PriA, Tim (Doctor) with PriT]

Attribute Based System
User attributes:
• Bob: Level = senior, Role = Doctor, Age = 51
• Alice: Role = Nurse, Level = senior
• Tim: Role = Doctor, Level = junior

Broadcast GKM
• Instead of giving keys, give some secrets to derive the key using public info.
• Public info: contains the policy.
[Figure labels: GC, Public info, secrets S1, S2, S3]

How BGKM works
(1) Issue secrets
(2) Using secrets, generate symmetric key & public info PI
(3) Upload encrypted data & PI
(4) Download encrypted data & PI; derive key using PI
[Figure labels: GC; secrets S1, S2, S3; users Bob, Tim, Alice; key K; public info PI; Ek(Data); DATA]

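The four steps above, as an added example that is not from the slides or from the BGKM authors. It swaps in a simple polynomial construction (public info = nonce plus the coefficients of f(x) = K + r·∏(x − H(s_i‖nonce)) mod p) purely to illustrate deriving a key from a secret and public info; the function names, the modulus and the sample users are assumptions.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime modulus, chosen for this illustration only

def h(secret: bytes, nonce: bytes) -> int:
    """Map a member secret and the public nonce to a field element."""
    return int.from_bytes(hashlib.sha256(secret + nonce).digest(), "big") % P

def generate(member_secrets):
    """Step (2): pick key K and build PI = (nonce, coefficients of f),
    where f(x) = K + r * prod(x - h(s_i, nonce)) mod P, so f(root) = K."""
    key = secrets.randbelow(P)
    nonce = secrets.token_bytes(16)
    coeffs = [secrets.randbelow(P - 1) + 1]      # constant polynomial r != 0
    for s in member_secrets:
        root = h(s, nonce)
        nxt = [0] * (len(coeffs) + 1)            # coeffs * (x - root)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - c * root) % P
            nxt[i + 1] = (nxt[i + 1] + c) % P
        coeffs = nxt
    coeffs[0] = (coeffs[0] + key) % P
    return key, (nonce, coeffs)

def derive(secret: bytes, public_info) -> int:
    """Step (4): a member evaluates f at h(secret, nonce) (Horner's rule)."""
    nonce, coeffs = public_info
    x, acc = h(secret, nonce), 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def demo():
    # Step (1): the GC issues one secret per user (constructed sample users).
    s = {name: secrets.token_bytes(16) for name in ("bob", "alice", "tim")}
    k1, pi1 = generate([s["bob"], s["tim"]])     # group = Bob and Tim
    k2, pi2 = generate([s["bob"]])               # rekey after Tim leaves
    return {
        "bob_gets_k1": derive(s["bob"], pi1) == k1,
        "tim_gets_k1": derive(s["tim"], pi1) == k1,
        "alice_gets_k1": derive(s["alice"], pi1) == k1,   # not a member
        "bob_gets_k2": derive(s["bob"], pi2) == k2,       # same secret, new PI
        "tim_gets_k2": derive(s["tim"], pi2) == k2,       # revoked
    }

if __name__ == "__main__":
    print(demo())
```

Revoking Tim only required publishing new public info; Bob's secret was not reissued.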
Attribute Based GKM (AB-GKM)
[Figure labels: policy with OR and AND gates over the conditions Level >= senior, Role = Doctor, Role = Nurse; user attribute sets (Level = senior, Role = Doctor, Age = 51), (Level = senior, Role = Nurse), (Level = junior, Role = Doctor); secrets s1 to s5; one item marked x]

Single layer encryption
[Figure labels: User, IdP, Owner, Cloud]
User and IdP:
(1) Identity attribute
(2) Identity token
User, Owner and Cloud:
(1) Register identity tokens
(2) Secrets
(3) Selectively encrypt & upload
(4) Download & decrypt
(5) Download to re-encrypt

Privacy Preserving of Id. Attributes
• Registration:
– Tim to Server: “I am a doctor”
– Server to Tim: “Here’s a secret”

Privacy Preserving of Id. Attributes
• Privacy Preserving Registration*:
– Tim to Server: “I am a doctor”, sent as a Commitment (unconditionally hiding and computationally binding)
– Server to Tim: “Here’s a secret”, sent as an Envelope (an encrypted message)
*OCBE – Oblivious Commitment Based Envelope

Extending the SLE Approach
• In the SLE approach
1. The Owner has to manage all the identity attributes and perform the fine-grained encryption.
2. If the user credentials or access control policies change, the owner has to download, decrypt, rekey, re-encrypt and upload.

Can we reduce the load at the Owner?
• How can we delegate the access control enforcement to the cloud?
– Use two layer encryption
• A naïve approach
– The owner encrypts each data item according to the ACPs
– The Cloud re-encrypts according to the ACPs again

Two Layer Dynamic Encryption
[Figure labels: Owner, User, Cloud, user IdP]
User and IdP:
(1) Identity Attribute
(2) Identity Token
Owner, Cloud and User:
(1) Decompose policies
(2) Register identity token (shown twice in the figure)
(3) Secrets (shown twice in the figure)
(4) Coarse-grained enc. & upload docs & modified policies
(5) Re-encrypt to enforce policies
(6) Download & decrypt twice

Two Layer Encryption
• In order to reduce the load at the Owner, the ACPs should be decomposed into two such that
– The owner performs a coarse-grained encryption
– The cloud performs a fine-grained encryption
• At the same time
– The confidentiality of the data should be assured
– The two layers together should enforce the ACP
• ACP = ACP1 ∧ ACP2
[Figure labels: DATA, Owner, Cloud]

Policy Decomposition Problem
• In order to minimize the load at the Owner
– The Owner should manage only the minimum number of attributes
• Policy Cover Problem: Find the minimum number of attribute conditions in ACPs that assures the confidentiality from the Cloud.

A Simplified Example

All ACPs
ACP1 = (“role = doc” ∨ (“role = nur” ∧ “type >= junior”), CI)
ACP2 = (“role = doc” ∧ “yos >= 5”, BI)
ACP3 = (“role = doc” ∧ “ip = 2-out-4”, CR)
ACP4 = (“role = nur” ∧ “type = senior”, TR)

Policy Cover
Minimal ACC = {“role = doc”, “role = nur”}

Decomposed ACPs

Owner enforced sub ACPs
ACP11 = (“role = doc” ∨ “role = nur”, CI)
ACP21 = ACP31 = (“role = doc”, BI, CR)
ACP41 = (“role = nur”, TR)

Cloud enforced sub ACPs
ACP12 = (“role = doc” ∨ “type >= junior”, CI)
ACP22 = (“yos >= 5”, BI)
ACP32 = (“ip = 2-out-4”, CR)
ACP42 = (“type = senior”, TR)

[Figure: Policy Graph over the attribute conditions role = doc, role = nur, type >= junior, type = senior, yos >= 5, ip = 2-out-4]

CONCLUSIONS
• Current approaches to enforce ACPs on outsourced data using selective encryption require organizations to manage all keys and encryptions and upload the encrypted data to the remote storage. Such approaches incur high communication and computation cost to manage keys and encryptions.
• In this paper, we proposed a two layer encryption based approach to solve this problem by delegating as much of the access control enforcement responsibilities as possible to the Cloud while minimizing the information risks due to colluding Users and Cloud.
• We showed how to decompose ACPs so that the Owner handles a minimum number of attribute conditions.